Updating via a wireguard connection

xxedgexx · April 28, 2023, 9:13pm

I would like to configure Qubes to do its updates via a connection to a wireguard service I have set up.

I understand how to set up a wireguard enabled template and a qubes based on that template following this:

which works great, but I would like to force package updates to also use a wireguard connection. I’m not quite sure what to alter to do this. Any help would be much appreciated.

-jeremy

disp6252 · April 29, 2023, 9:04am

You need to change UpdatesProxy for templates and for dom0. You can read more about it here:
Qubes-Whonix ™ UpdatesProxy Settings
Also you should use the new qrexec policy to change UpdatesProxy for templates:
Qubes Architecture Next Steps: The New Qrexec Policy System | Qubes OS

gonzalo-bulnes · April 29, 2023, 5:06pm

See also:

xxedgexx · May 1, 2023, 6:36am

I seem to be having issues with the Template updates. I cloned my wireguard VM from the fedora-37 template. Does anything else need to be running in that template for this to work?

The dom0 change via the global settings worked just fine, but the template updates is bailing out unable to pull down the repodata.

I see some conflicting posts that mention updating /etc/qubes-rpc/policy/qubes.UpdatesProxy

Is there a good way to debug? I’m not exactly sure where things are breaking down, but it seems to work fine for dom0.

Thanks!

xxedgexx · May 1, 2023, 6:46am

Also, to add to the bigger picture, I’m trying to use a custom yum repo. I assumed I would only have to set this repo in the templates I’m trying to update. Is there a more “Qubes” way to define yum repos that I might be missing?

disp6252 · May 1, 2023, 10:33am

Where and what exactly did you change to enable templates update via your wireguard VM?

Check journalctl in dom0 when you try to update your templates.

No, just configure repos in your templates in accordance with the recommendations for the template distribution.

xxedgexx · May 1, 2023, 7:14pm

It looks like the issue was I needed the qubes-updates-proxy service added to the wireguard qubes. After doing that, everything appears to be working as expected.

Thanks!

gonzalo-bulnes · May 2, 2023, 5:31am

Thanks for updating us with your findings @xxedgexx !

I marked your last post as the solution/answer to your original question so that it is easier to find for the next person with a similar question.

If that doesn’t seem right, please feel free to correct it or mark a different post as the solution!